The Web Is Broken – Botnet Part 2

Posted by todsacerdoti 6 hours ago

The Web Is Broken – Botnet Part 2(jan.wildeboer.net)

200 points | 93 commentspage 2

reconnecting 5 hours ago|

Residential IP proxies have some weaknesses. One is that they ofter change IP addresses during a single web session. Second, if IP come from the same proxies provider, they are often concentrated within a sing ASN, making them easier to detect.

We are working on an open‑source fraud prevention platform [1], and detecting fake users coming from residential proxies is one of its use cases.

[1] https://www.github.com/tirrenotechnologies/tirreno

andelink 46 minutes ago||

The first blog post in this series[1], linked to at the top of TFA, offers an analysis on the potential of using ASNs to detect such traffic. Their conclusion was that ASNs are not helpful for this use-case, showing that across the 50k IPs they've blocked, there is less than 4 IP addresses per ASN, on average.

[1] https://jan.wildeboer.net/2025/02/Blocking-Stealthy-Botnets/

gruez 41 minutes ago|||

>One is that they ofter change IP addresses during a single web session. Second, if IP come from the same proxies provider, they are often concentrated within a sing ASN, making them easier to detect.

Both are pretty easy to mitigate with a geoip database and some smart routing. One "residential proxy" vendor even has session tokens so your source IP doesn't randomly jump between each request.

gbcfghhjj 4 hours ago||

At least here in the US most residential ISPs have long leases and change infrequently, weeks or months.

Trying to understand your product, where is it intended to sit in a network? Is it a standalone tool that you use to identify these IPs and feed into something else for blockage or is it intended to be integrated into your existing site or is it supposed to proxy all your web traffic? The reason I ask is it has fairly heavyweight install requirements and Apache and PHP are kind of old school at this point, especially for new projects and companies. It's not what they would commonly be using for their site.

reconnecting 4 hours ago||

Indeed, if it's a real user from a residential IP address, in most cases it will be the same network. However, if it's a proxy from residential IPs, there could be 10 requests from one network, the 11th request from a second network, and the 12th request back from the same network. This is a red flag.

Thank you for your question. tirreno is a standalone app that needs to receive API events from your main web application. It can work perfectly with 512GB Postgres RAM or even lower, however, in most cases we're talking about millions of events that request resources.

It's much easier to write a stable application without dependencies based on mature technologies. tirreno is fairly 'boring software'.

sroussey 3 hours ago||

My phone will be on the home network until I walk out of the house and then it will change networks. This should not be a red flag.

armchairhacker 4 hours ago||

> I am now of the opinion that every form of web-scraping should be considered abusive behaviour and web servers should block all of them. If you think your web-scraping is acceptable behaviour, you can thank these shady companies and the “AI” hype for moving you to the bad corner.

Why jump to that conclusion?

If a scraper clearly advertises itself, follows robots.txt, and has reasonable backoff, it's not abusive. You can easily block such a scraper, but then you're encouraging stealth scrapers because they're still getting your data.

I'd block the scrapers that try to hide and waste compute, but deliberately allow those that don't. And maybe provide a sitemap and API (which besides being easier to scrape, can be faster to handle).

theteapot 2 hours ago||

Are ad blockers like AdBlock, uBlock effective against these?

neilv 2 hours ago||

Couldn't Apple and Google (and, to a lesser extent, Microsoft) pretty easily shut down almost all the apps that steal bandwidth?

arewethereyeta 6 hours ago||

I have some success in catching most of them at https://visitorquery.com

lq9AJ8yrfs 5 hours ago||

I went to your website.

Is the premise that users should not be allowed to use vpns in order to participate in ecommerce?

arewethereyeta 5 hours ago||

Nobody said that, it's your choice to take whatever action fits your scenario. I have clients where VPNs are blocked yes, it depends on the industry, fraud rate, chargeback rates etc.

ivas 5 hours ago||

Checked my connection via VPN by Google/Cloudflare WARP: "Proxy/VPN not detected"

arewethereyeta 5 hours ago||

Could be, I don't claim 100% success rate. I'll have a look at one of those and see why I missed it. Thank you for letting me know.

at0mic22 5 hours ago||

Strange the HolaVPN e.g. Brightdata is not mentioned. They've been using user hosts for those purposes for decades, and also selling proxies en masse. Fun fact they don't have any servers for the VPN. All the VPN traffic is routed through ... other users!

andelink 42 minutes ago||

Hola is mentioned in the authors prior post on this topic, linked to at the top of TFA: https://jan.wildeboer.net/2025/02/Blocking-Stealthy-Botnets/

Klonoar 4 hours ago|||

Is it really strange if the logo is right there in the article?

arewethereyeta 4 hours ago||

They are even the first to do it and the most litigious of all. Trying to push patents on everything possible, even on water if they can.

amiga-workbench 5 hours ago||

What is the point of app stores holding up releases for review if they don't even catch obvious malware like this?

_Algernon_ 5 hours ago||

They pretend to do a review to justify their 30% cartel tax.

klabb3 10 minutes ago||

Oh no, they review thoroughly, to make sure you don’t try to avoid the tax.

politelemon 4 hours ago|||

Their marketing tells you it's for protection. What they fail to omit is it's for their revenue protection - observe that as long as you do not threaten their revenue models, or the revenue models of their partners, you are allowed through. It has never been about the users or developers.

charcircuit 2 hours ago|||

The definition of malware is fuzzy.

SoftTalker 5 hours ago|||

Money

yungporko 3 hours ago||

it's funny, i've never heard of or thought about the possibility of this happening but actually in hindsight it seems almost too obvious to not be a thing.

pton_xd 5 hours ago||

I thought the closed-garden app stores were supposed to protect us from this sort of thing?

20after4 5 hours ago||

That's what they want you to think.

whstl 5 hours ago|||

Once again this demonstrate that closed gardens only benefit the owners of the garden, and not the users.

What good is all the app vetting and sandbox protection in iOS (dunno about Android) if it doesn't really protect me from those crappy apps...

musicale 2 hours ago|||

Sandboxing means you can limit network access. For example, on Android you can disallow wi-fi and cellular access (not sure about bluetooth) on a per-app basis.

Network access settings should really be more granular for apps that have a legitimate need.

App store disclosure labels should also add network usage disclosure.

20after4 5 hours ago||||

At the very least, Apple should require conspicuous disclosure of this kind of behavior that isn't just hidden in the TOS.

BlueTemplar 5 hours ago|||

Also my reaction when the call is for Google, Apple, Microsoft to fix this : DDOS being illegal, shouldn't the first reaction instead to be to contact law enforcement ?

If you treat platforms like they are all-powerful, then that's what they are likely to become...

kibwen 5 hours ago|||

If you find yourself in a walled garden, understand that you're the crop being grown and harvested.

More comments...